We use a .NET library called Newtonsoft.Json for working with JSON files in one of our applications. Yesterday GitHub posted an advisory about a vulnerability in this library. There is no CVE yet for this vulnerability: Improper Handling of Exceptional Conditions in Newtonsoft.Json · GHSA-5crp-9r3c-p9vr · GitHub Advisory Database · GitHub
I’m wondering if SonarCloud’s vulnerability scanning would detect this type of issue or if there is documentation around how vulnerability scanning rules are developed and added to handle new vulnerabilities when they are disclosed.
I want to clarify what exactly you are asking because I think I see multiple potential questions in this post:
- Could Sonar have detected GHSA-5crp-9r3c-p9vr before GitHub if it scanned Newtonsoft.Json's code?
- Can Sonar detect vulnerabilities leading to (de)serialization-induced DoS attacks?
- Can Sonar detect if my code is vulnerable to GHSA-5crp-9r3c-p9vr? (implying that your code uses Newtonsoft.Json)
- How can I, as a user, add more checks when a vulnerability is publicly disclosed? (Security Engine Custom Configuration | SonarQube Docs)
Are you asking one (or multiple) of these questions?
Thanks a lot for this question, and thank you for your patience!
Have a good day,